8260984 2002-04-08 10:39 -0700  /130 rader/ Steve Gustin <stegus1@yahoo.com>
Sänt av: joel@lysator.liu.se
Importerad: 2002-04-09  01:28  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <21772>
Ärende: multiple CGIscript.net scripts - Remote Code Execution
------------------------------------------------------------
From: Steve Gustin <stegus1@yahoo.com>
To: bugtraq@securityfocus.com
Message-ID: <20020408173953.41082.qmail@web13401.mail.yahoo.com>

multiple CGIscript.net scripts - Remote Code Execution
---------------------------------------------------------------------
Name      : multiple CGIscript.net scripts -
            Remote Code Execution            
Date      : April 8, 2002
Product   : csGuestbook
            csLiveSupport
            csNewsPro
            csChatRBox
Vuln Type : Access Validation Error
Severity  : HIGH RISK

Vendor    : WWW.CGIscript.NET, LLC.
Homepage  : http://www.cgiscript.net/


DISCUSSION:
---------------------------------------------------------------------
CGIScript.net distributes a number of free and
commercial perl cgi scripts developed by Mike Barone
and Andy Angrick.  Last month a Remote Code Execution
vulnerability was found in their csSearch product,
further research and information provided by the
Vendor has revealed that four (4) additional scripts
have the same vulnerability.

These scripts are: 

csGuestBook   - guestbook program
csLiveSupport - web based support/chat program
csNewsPro     - website news updater/editor
csChatRBox    - web based chat script

These scripts stores their configuration data as perl
code in a file called "setup.cgi" which is eval()uated
by the script to load it back into memory at runtime. 
Due to an Access Validation Error, any user can cause
configuration data to be written to "setup.cgi" and
therefore execute arbitrary perl code on the server.


EXPLOIT: 
---------------------------------------------------------------------
Configuration data is (typically) saved with the
following URL.  

scriptname.cgi?command=savesetup&setup=PERL_CODE_HERE

Note that any perl code would need to be URL encoded. 
A malicious user could essentially execute any
arbitrary perl code or shell commands.  Only
csChatRBox was tested for this vulnerability, however,
Vendor stated the other scripts were also affected.

SysAdmins wanting to scan for affected scripts should
check for the following filenames: "csGuestbook.cgi",
"csLiveSupport.cgi", "csNews.cgi", "csChatRBox.cgi".


IMPACT:
---------------------------------------------------------------------
Because of the high number of users who are using
CGIscript.net scripts (over 17,000 csSearch users
alone according to the website) and the fact that
search engines can easily be used to identify sites
with the unique "csScriptName.cgi" script names, the
risk posed by these flaws is very high indeed.  

Additionally, because the Vendor does not post version
numbers or changlogs (that we could find) on their
website or with their software, and because the
patched version of csChatRBox has the same version
number of the vulnerable version (1.0), it may make it
more difficult for users to determine whether or not
their script is vulnerable or not.


VENDOR RESPONSE
---------------------------------------------------------------------
Vendor has released updated versions of all the
affected scripts to patch the flaws.

Vendor was notified of the problem with csChatRBox on
Mar 28th.  At that time they stated that they were
already aware that the problem and that 4 more scripts
(besides csSearch) were affected .. csGuestbook,
csLiveSupport, csChatRBox, and csNewsPro.

Vendor posted a notice on their site about the
csChatRBox script but stated that because they were
contacting each customer individually for the
purchased scripts they did not feel a web site posting
was warranted.


VENDOR HISTORY:
---------------------------------------------------------------------
March 25, 2002 - csSearch.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/264169


DISCLAIMER
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.


FEEDBACK:
---------------------------------------------------------------------
If anyone has any other CGIscript.net scripts they'd
like me to take a look at, just drop me a line at
stegus1@yahoo.com.


__________________________________________________
Do You Yahoo!?
Yahoo! Tax Center - online filing with TurboTax
http://taxes.yahoo.com/
(8260984) /Steve Gustin <stegus1@yahoo.com>/--------